Building a Policy to Profile Polycom IP Phones in ISE 2.3

I have a remote office that uses Polycom IP Phones connected to 2960S switches. When I plug the phones into the switch, the phone gets on the network and gets a DHCP address, but the IP is from the Data VLAN, not the Voice VLAN. The goal here is for ISE to profile the IP Phones and to authorize them into the Voice VLAN.

 

We see that ISE already has a Polycom Device Profiling Policy.

Update: If you check here, Craig Hyps @ Cisco has posted a great Polycom Profiler Pack. After importing the XML doc you will get much more granular info about the Polycom model. Just do it.

 

The detail of that policy contains only one rule, the Polycom OUI check. It’s pretty simple.

 

The PolycomOUICheck is also pretty simple: is the MAC correct?

 

So at this point, we know that ISE can identify Polycom MAC addresses, and when a Polycom MAC address is found the ISE Certainty Factor increases by 10. Good, let’s put the Profiling Policy into a Network Access Policy Set.

First, let’s create the Authorization Profile Result.

Work Centers -> Network Access -> Policy Elements -> Results -> Authorization Profiles -> Add

 

Give your Profile a Name & Description; Access Type needs to be Access-Accept. For the Network Device Profile, I use Cisco for a few reasons. In Common Tasks click Voice Domain Permission. This will cause ISE to send a CoA to the switch that tells the switch to change the VLAN on the IP Phone to the Voice VLAN when a device passes the Authorization Profile.

 

Now we will create the Network Access Policy.

Go to Work Centers -> Network Access -> Policy Sets. Click the + and create a new Policy Set.

As you can see, my Policy Set is called Wired Profiling. My Policy authorizes multiple types of devices. Yours likely does, or will, too. I just match Device Type: Wiring Closet Switches. For an Authentication Policy, I use the Library Condition Wired_MAB because there is no reason to reinvent the wheel.

 

 

For the Authorization Policy, I gave a descriptive Name. For the Condition, I’m using EndPoints: EndPointPolicy EQUALS Polycom-Device. Remember, Polycom-Device is the first thing we looked at in this post.

 

Let’s check our RADIUS Live Logs.

Here we can see the OUI matches a Polycom OUI. We can see the Authentication Policy hit the policy we created, we can see the Authorization Policy hit the policy we created, and the Authorization Profile was assigned to the one we created.

Finally, if we look at the authorization status of the switchport, we can see that the MAC address has been placed onto the Voice Domain.
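To run that last check across a whole wiring closet instead of one port, here is an added example (not part of the original post and not Cisco code) that audits session output for phones outside the Voice Domain and for non-Polycom MACs inside it. The OUI list, the sample sessions and the column layout assumed for `show authentication sessions` are constructed for illustration.

```python
import re

# Assumption: OUIs treated as Polycom here; use the list your ISE
# PolycomOUICheck condition actually matches.
POLYCOM_OUIS = {"0004f2", "64167f"}

# Constructed sample in the column layout of "show authentication sessions";
# these are not sessions captured from the network in the post.
SAMPLE = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/5    0004.f2aa.bb01  mab     VOICE   Authz Success  0A0A0A0100000012000B1C2D
Gi1/0/6    0004.f2aa.bb02  mab     DATA    Authz Success  0A0A0A0100000013000B1C2E
Gi1/0/7    02aa.bbcc.dd01  mab     VOICE   Authz Success  0A0A0A0100000014000B1C2F
Gi1/0/8    6416.7f01.0203  mab     VOICE   Authz Failed   0A0A0A0100000015000B1C30
"""

ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9A-Fa-f.:-]{12,17})\s+(?P<method>\S+)\s+"
    r"(?P<domain>VOICE|DATA|UNKNOWN)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]{16,})\s*$"
)

def oui(mac):
    """Return the first three octets of a MAC as six lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]

def audit(output, polycom_ouis=POLYCOM_OUIS):
    """Return (interface, mac, finding) for every session that needs a look."""
    findings = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank or unrelated line
        is_polycom = oui(m["mac"]) in polycom_ouis
        authorized = m["status"].strip().lower() == "authz success"
        if is_polycom and not authorized:
            findings.append((m["intf"], m["mac"], "phone not authorized"))
        elif is_polycom and m["domain"] != "VOICE":
            findings.append((m["intf"], m["mac"], "phone outside voice domain"))
        elif not is_polycom and m["domain"] == "VOICE":
            findings.append((m["intf"], m["mac"], "non-Polycom MAC in voice domain"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Paste the switch output into `audit()` in place of `SAMPLE`; an empty result means every Polycom MAC is authorized in the Voice Domain and nothing else is.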

 

I hope this helped you.  Please feel free to comment or question anything in the post.

 

 

 

 
